Bypass queue restrictions with the super user capability for Splunk SOAR integration users

The es_team_queue_super_user capability grants full access to every team queue in Splunk Enterprise Security (ES), bypassing the role-based access control that Splunk ES 8.5 enforces on team queues. It is what keeps the Splunk SOAR integration working after an upgrade to Splunk ES 8.5.

The es_team_queue_super_user capability provides complete CRUDX (create, read, update, delete, and execute) permissions on all team queues, regardless of which queues the user's other roles can see.

Splunk SOAR integration

When Splunk ES is paired with Splunk SOAR, the es_soar_integration_user service account is automatically created with the es_soar_integration role. This role includes the es_team_queue_super_user capability by default, ensuring that Splunk SOAR functionality is accessible from any queue. There is no manual configuration required for the Splunk SOAR integration to work with team queues.

Any user with access to the Splunk SOAR debugger can run actions as the es_soar_integration_user service account, so they effectively inherit the es_team_queue_super_user capability and can reach every team queue. Treat access to the Splunk SOAR debugger as equivalent to granting this capability, and restrict it accordingly.

When to use the super user capability

Assign es_team_queue_super_user when a user needs the following:

  • Unrestricted access to all team queues

  • The ability to manage or triage findings across multiple teams

  • Integration capabilities from Splunk SOAR

How to assign the super user capability

In the Splunk Web menu bar, follow these steps:

  1. Navigate to Settings then Access Controls and then Roles.

  2. Select or create the target role.

  3. Under Capabilities, add es_team_queue_super_user.

  4. Save the role.

Best practices for using the super user capability

Make Splunk SOAR playbooks queue-specific, so that the create and update operations they perform on findings target the intended team queue rather than relying on the super user capability to succeed in whichever queue a finding happens to be.

Troubleshooting

Splunk SOAR cannot update findings after an upgrade to Splunk ES 8.5:

  1. Verify that the es_soar_integration_user exists and has the es_soar_integration role.

  2. Confirm the es_soar_integration role includes the es_team_queue_super_user capability.

  3. Re-pair Splunk SOAR with Splunk ES if the service account was manually modified.
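The role assignment above is stored in Splunk's authorize.conf as a `[role_<name>]` stanza with a `<capability> = enabled` line, and roles can inherit capabilities through `importRoles`. The following added example (not Splunk's own code, and not part of this page) parses an authorize.conf excerpt, resolves inherited capabilities, and runs the troubleshooting checklist for a given user: does the account exist, does the service account still carry the es_soar_integration role, and does any assigned role grant es_team_queue_super_user. The authorize.conf text and the user-to-roles map are constructed for illustration; in a real deployment you would feed it the merged output of `splunk btool authorize list` and the role list from the authentication/users REST endpoint.

```python
"""Check which Splunk roles grant es_team_queue_super_user.

Added example, not Splunk's own code. It parses authorize.conf stanzas,
follows importRoles inheritance, and reports whether a user's effective
roles carry the capability. All sample data below is constructed.
"""
import configparser
from typing import Dict, List, Set

CAPABILITY = "es_team_queue_super_user"
SERVICE_ACCOUNT = "es_soar_integration_user"
SERVICE_ROLE = "es_soar_integration"

# Constructed authorize.conf excerpt (what a btool merge might show).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_es_soar_integration]
importRoles = user
es_team_queue_super_user = enabled

[role_es_queue_admin]
es_team_queue_super_user = enabled

[role_soc_lead]
importRoles = user;es_queue_admin

[role_custom_integration]
importRoles = user
edit_roles = enabled
"""

# Constructed user -> assigned roles map (e.g. from authentication/users).
SAMPLE_USERS = {
    SERVICE_ACCOUNT: [SERVICE_ROLE],
    "soc_lead_1": ["soc_lead"],
    "custom_bot": ["custom_integration"],
}


def parse_roles(text: str) -> Dict[str, dict]:
    """Return {role_name: {"imports": [...], "caps": {...}}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(text)
    roles: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        items = dict(cp.items(section))
        imports_raw = items.pop("importRoles", "")
        imports = [r.strip() for r in imports_raw.split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles


def effective_capabilities(roles: Dict[str, dict], role: str,
                           seen: Set[str] = None) -> Set[str]:
    """Capabilities of a role including everything inherited via importRoles.

    `seen` guards against import cycles in a misconfigured authorize.conf.
    """
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    caps = set(roles[role]["caps"])
    for parent in roles[role]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def diagnose(user: str, users: Dict[str, List[str]],
             roles: Dict[str, dict]) -> List[str]:
    """Run the troubleshooting checklist for one user; empty list means OK."""
    assigned = users.get(user)
    if assigned is None:
        return [f"user {user!r} does not exist"]
    problems: List[str] = []
    if user == SERVICE_ACCOUNT and SERVICE_ROLE not in assigned:
        problems.append(f"{SERVICE_ACCOUNT} lacks the {SERVICE_ROLE} role; "
                        "re-pair Splunk SOAR with Splunk ES")
    if not any(CAPABILITY in effective_capabilities(roles, r) for r in assigned):
        problems.append(f"none of {assigned} grants {CAPABILITY}; "
                        "add it to the integration user's role")
    return problems


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for name in SAMPLE_USERS:
        print(name, diagnose(name, SAMPLE_USERS, parsed) or "OK")
```

With the constructed data, the service account and the soc_lead_1 user (who inherits the capability through es_queue_admin) pass, while custom_bot is flagged because its role never grants es_team_queue_super_user, which is the "custom integration user lacks team queue access" case.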

Custom integration user lacks team queue access:

  1. Add the es_team_queue_super_user capability to the integration user's role.

  2. Restart the integration or re-authenticate so that the updated role takes effect for the session.